Corporate governance and open communication between the audit committee and the chief audit executive (CAE) are critical in today's business environment. In addition, audit committee members' obligations continue to expand beyond the historical responsibilities related to financial reporting to organizational risk and internal controls. Audit committees should find ways to demonstrate and document fulfillment of their oversight responsibilities. Although the CAE may participate in audit committee meetings with executives and the external auditor, executive sessions held with only the audit committee and CAE help enhance oversight.
Audit committee meeting agendas frequently are overflowing, leaving little time for executive sessions. As a result, these sessions may become ad hoc rather than systematic. The irregular executive session raises the specter that the CAE "requested" the session, and frequently results in the CAE placed in potential conflict with management. Instead of having the audit committee chair ask the CAE during the meeting if there is a need for an executive session, it is a best practice that the audit committee holds executive sessions with the CAE at each in-person audit committee meeting. This practice should help improve audit committee oversight quality by helping to ensure reporting independence of the internal audit function.
More frequent executive sessions likely will result in shorter sessions and enhance the ability of the audit committee and CAE to candidly discuss information. Regular executive sessions also should help reduce concerns of independent and transparent communications, while setting the appropriate tone for private audit committee interactions with the CAE at each meeting. Once the process is established, it is important to allocate sufficient time to adequately discuss issues and ask questions. This will enable the audit committee to document its due diligence relative to oversight.
Executive sessions held with only audit committee members and the CAE provide increased assurance of direct communication. Although the session's occurrence should be documented, the specific details should not be delineated within meeting minutes. Furthermore, the audit committee chair should respect the confidential nature of the meeting and should not quote the CAE in discussions with management. However, the CAE should be aware that strict confidence might not always be practicable. As a result, it is important that the CAE also keep management informed about key matters discussed to prevent management from being blindsided. Establishing open and separate dialogue with both management and the audit committee frequently assists the CAE in getting matters of concern addressed by management before the executive session.
The format of the executive session should be two-way. The CAE should provide information relevant to the audit committee in executing its oversight responsibility. Also, the session should provide audit committee members an opportunity to address their concerns, request information, and gain additional insight. CAEs also should ensure their concerns are addressed (e.g., staffing, budgets, and personnel issues), including specific matters not already covered in the meeting.
Providing the audit committee with discussion questions for executive sessions can help demonstrate the value of these meetings and set the tone (see "Executive Session Questions," this page). The CAE can guide discussions while also providing the audit committee with items for consideration.
Executive sessions provide several benefits for CAEs and audit committee members. Specifically, systematic executive sessions facilitate more meaningful meetings through the unfiltered flow of information. This helps ensure more independent and thorough discussions, thereby improving rapport among participants.
The executive session helps ensure the audit committee receives unfiltered information from the CAE to effectively carry out oversight responsibilities. Furthermore, the audit committee can inquire into the "why" and "what" auditors are reporting to enhance understanding of risks. Additionally, it allows CAEs to provide informal input regarding concerns. Although it may not guarantee adequate resources, it provides the opportunity for noting the adequacy of resources to effectively carry out the audit plan and risk of failing to do so.
Executive Session Questions
Providing the audit committee with questions can help demonstrate the value of executive sessions and set the tone for open dialogue. The questions are divided into two groups based on suggested frequency.
- Are you free from undue influence in the audit selection process?
- Do you have any scope limitations?
- Have you received cooperation relative to
- Has management provided full cooperation
- during audits conducted?
- Are you aware of any activity inconsistent
- with our values that went unreported?
- Have changes been made to internal audit
- reports that might dilute the message?
- Have all material weaknesses in internal
- control been reported and resolved?
- Are there significant issues we need to
- Is there anything we need to know to
- fulfill our responsibilities?
- How would you assess the tone at the top?
- Do you have adequate resources to effectively implement the audit plan?
- Is there anything that troubles you about
- the organization?
- Is any group or person creating challenges for,
- or not supporting, sound internal controls and ethical behavior?
- Are you receiving adequate support from the external auditors?
- Does the charter reflect best practices or are revisions needed?
- Has internal audit complied with its charter, The IIA's International Professional Practices Framework, and the company's code of ethics?
- Do you have sufficient organizational independence to achieve your objectives?
- Does management provide sufficient administrative support?
- Does the company have the right priorities?
- Have any significant risks been identified that may prevent the organization from achieving goals?
- What are the primary concerns related to the enterprise risk management processes?